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Issue # 1: 

The Examiner has lejected Claims 21 and 22 under 35 U.S.C 1 12, first paragraph, as 
not heing enabled. With respect to Claim 21 , the Examiner has questioned the exact 
implication of tibie "frame_context_pointer_position" limitations. With respect to Claim 
22, the ExamineT has stated that Page 12 of the specification only mentions the mcision 
of *frame_tcp_bTidge;' "fiame_udpjDridge/* "frame Jpjbridge/' and 
'frame^httpjjridge/* but does not give a description of the specific functionality of such 
elements. 

Appellant respectfully asserts that Page 12 of appellant's disclosure describes the fbim 
the API's may take, or, in oflier words, defines the form that the API takes. Thus, 
according to the claims, the API is defined according to 
"£rame_context_pointerj)osition" (Clahn 21) which includes "ftamejcpjbridge; 
frame_udp_bridge; frame_ipj)ridge; and ftame_httpj)ridge" (Clann 22). 

In the Examiner's Answer mailed 06/23/2006, the Examiner argued that "[djefining a 
fozm of an API, as it appears in Page 12 of the specification, is not enabling, as it does 
not disclose what functionality is being communicated on requests between the intmsion 
detection device and tiie data monitoring device." Appellant respectfully disagrees and 
asserts that Page 12 of appellant's disclosure describes that "[t]he APIs 48 are used to 
parse, generate, and load sigoatates^ invoke corresponding signature detection methods 
fiom appropriate protocol contexts, access states required for stateful intrusion 
detection, and access alerts/alarms management facilities/' In addition, appellant 
respectfully asserts that item 48 on Figure 1 and Figure 3, and the accompanymg 
description, would enable one skilled in the art to make and use such an API that is 
claimed in Claims 21 and 22. 

It should be strongly noted that the foregoing citations do not in any way state, suggest, 
or otherwise imply that such claim language is limited in scope to the specific 
embodiments depicted in the drawings or described in the specification in &e instant 
applicatioiL 
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Issue #2: 

The Examiner has rejected Claims 21 and 22 under 35 U.S.C. 112, second paragraph, as 
failing to define the invention. Appellant respectfiilly disagrees. In die Examiner's 
Answer mailed 06/23/2006, the Examiner argued that "[t]he functionality of API's such 
as frame_context_pointer_position, firame_tcp_bridge, frame_udp_bridge, 
frame_ipjbridge, [and] fi:ame_http_bridge is not defined anywhere in the disclosure" 
and that the "[cjlaims are indefinite based in the lack of enablement expressed above." 
Appellant respectfiilly disagrees and references the arguments tnade hereinabove witih 
respect to enablement 

Issue #3: 

The Examiner has lejected Claims 1-20 under 35 U.S.C. 102(e) as being anticipated by 
or» in flie alternative^ unpatentable under 35 U.S.C, 103(a) as being obvious over Vaidya 
(U,S, Patent No. 6;279,113) in view of Ponas (U.S. Patent Application No. 
2003/0101358). 

Group #1: Clatms 1-8, 10. 14-15, and 18-20 

Clafatt Element #1 

With respect to each of the independent claims, and specifically appellant's claimed 
**intrusion detection device separate &om the data monitoring device/' ttie Examiner 
has argued, in the Office Action dated 1 1/30/2005, that appellant's claimed 
'Intrusion detection device separate from the data monitoring device'* is only 
separate in functionality. Appellant respectfully points out page 7, line 14-page 8, 
line 6, along with associated Figure 1, which cleariy shows that the network analysis 
and data monitoring device 16 and Ihe intmsion detection device 14 are separate 
devices, and not merely that they perform separate functionality, as the Examiner 
contends. 
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In tie Examiner's Answer mailed 06/23/2006, the Examiner argued "[a]ppellant*s 
element 18 is shown in Figure 2 as gu& item called MIDAS in ihe network" and 
"[t]lierefoTe, the separation described in disclosure implies nothing more than a 
functional separation, and the broad interpretation of claims and figures is that the 
system is within on element (NIDAS, device 1 8 of Figure 2).'* The Examiner further 
argued tiiat "fimctional separation is not excluded in the claim language." Appellant 
respectftlly asserts that item 18 of Figure 1 is referred to, on Page 7 of appellant's 
disclosure, as "a network mtrusion detection system" which '"provides an intrusion 
detection device 14 in combination with a network analysis and data monitoring device 
1 6*" (emphasis added). Clearly> appellants disclosure that the NEDAS system includes 
a separate intmsion detection device and a separate netwodc analysis and data 
monitoring device suggests that the separation is not jnst functional as argued by the 
Examiner. 

In addition, appellant respectfhUy disagrees with ^ Examiner's assertion that "Vaidya 
discloses [in] the claims. . . a system including functionally separate devices" since Col. 
6, lines 1-1 1 disclose that "[t]he configuration builder module 32 accesses the 
appropriate attack signature profile sets during operation of the data collector 10 and 
provides the attack signature t^roliles to a sta tpfiil HynaTniV. sifm&tur e inspection (SDSD 
virtual processor 36" (emphasis added). Clearly, the mere disclosure that the data 
collector 10 provides attack signatures profiles to a SDSI virtual processor 36, which is 
included within data collector 10, fails to even suggest an "intrasion detection device 
[which is] separate from the data monitoring device" (emphasis added), as claimed by 
appellant. 

Tlie Examiner has also argued that Vaidya does not limit his invention to one 
processor only. In making such an assertion, the Examiner has referenced Figure 4, 
items 36, 34 and 38 as being separate modules to perform separate fimctionalities. 
Appellant respectfully asserts that Figure 4 only discloses modules that work with 
the virtual processor, but not that such modules axe separate processors. Thus» 
appellant respectfully asserts that the only processing device in Vaidya is the virtual 
processor . Furthermore, the modules relied on by the Examiner do not provide the 
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separate functionality claimed by appellant, namely "captur[ing] data passing 
through tbe netovork," **perfoim[ing] intrusion detection," etc. 

In the Examiner's Answer mailed 06/23/2006, the Examiner argued that 'the general 
meaning of the word **processors," which in the context of the subject at hand, is an 
element capable of processing data and performing operations.' Appellant respectfully 
disagrees with the Examiner's argument and asserts that Vaidya merely discloses that 
"[ajlthough a preferred embodiment of the processor employs the software based virtual 
processor 36 to execute attack signature profiles, a hardware based processor can be 
employed in the place of the virtual ijtocessor 36*' (empha^s added). Clearly, Vaidya 
discloses a processor as a fioftwaie based virtual processor or a hardware based 
processor. 

The Examiner's argues that "the purpose for referencing items 36, 34 and 38 m the 
second office action was to indicate that Vaidya is not limited to one processor, and 
discloses use of separate processors performing different parts of operation." However, 
appellant respectfully asserts that item 10 of Figure 2 is disclosed as a ''data collector 10 
[which] includes a communication module 34" "a configuration builder module 32/' "a 
stateful dynamic signattire inspection (SDSI) virtual processor 36/* and a 'Reaction 
module 38" (CoL 6, lines 1-26). Clearlyj, the mere disclosure that data collector 10 
includes a virtual processor and several other modules simply fails to even suggest an 
"intrusion detection device separate j&om the data monitoring device* ' (emphasis added), 
as claimed by appellant 

Still yet, the Examiner has argued that Vaidya performs the functionality of 
appellant's data monitoring device and intmsion detection device in item 36, but that 
such functionality is sepamte as shown in item 40. Appellant respectfully asserts 
that item 40^ Ihe register cache, 'temporarily stores information extracted fiom a 
data packet which determines which signature profile(s) will be accessed fiom the 
signature profile memory 39." Clearly^ such register cache that only stores 
information from data packets does not meet appellant's claimed **data monitoring 
device," ^^ch specifically "'capturelsj data passing flirough the network^'* 
"monitorfs] network traffic/' "decoders] protocols for grouping packets into 
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different protocol presentations and assembling the packets into high level protocol 
groups," and "analyze[s] received data " in the manner claimed by appellant. Thus, 
the functionality of items 36 and 40, as relied on by the Examiner, does not meet 
appellant's specific claim language. 

In the Examiner's Answer mailed 06/23/2006, the Examiner argued that "[r]efening to 
figure 4 again, Vaidya performs Ihe fimctionalitv of applicant's data monitoring device 
and intrusion detection device in item 36, however, within item 36 it discloses item 40 
as a separate device." In addition, the Exammer argues that "Vaidya clearly separates 
the functionality of data collection, as described in Fig 5, liom intmsion detection, as 
described in Figures 6 to 10." 

Appellant respectfully disagrees -with flie Examiner's arguments that Vaidya discloses 
separate data collection and intrusion detection. Appellant respectfully asserts that 
Vaidya merely discloses that **[w]itihi xeference to FIG. 4, the operation of the virtual 
processor 36 includes monitoring network data 46 to determine whether the data is 
associated wifli a networlc intrusion" and that "[a] register cache 40 tBrnporarilv stores 
infonnalion extracted from a data packet which detemiines which signature profiIe(s) 
will be accessed from the signature profile memory 39'' (Col. 7, lines 12-18 - emphasis 
added). In addition, Vaidya discloses that "[t]he virtual nroccssor 36 obtains a data 
packet from a queue and extracts MAC header information, IP header information, 
transport header information, and a pplication information from the data packet** (Col. 7> 
Imes 18-21 - emphasis added). Further, Vaidya discloses that "[r]eferring to FIG. 5, a 
metliod [is shown] for bmlding a register cache 40 during the operation of the virtual 
prDces6or36" and that ''[a]ll of the extracted packet information is entered into the 
register cache 40" (Col, 8, Unes 40-49 - emphasis added). Also, Vaidya discloses that 
"[t]he viittial processor 36 processes flbie attack signature profiles to determine whether 
the packet is associated with a network intrusion attempt" (Col. 7, lines 32-36 - 
erophasis added). 

However, Ifae mere disclosure by Vaidya fliat the virtual processor 36 monitors network 
data 46 and stores extracted data packet information into "Qie register cache 40, and that 
the virtual processor 36 determines if the packet is associated with a network intrusion 
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attempt simply fails to even suggest an "mtrusion detection device separate from the 
data monitoring device' ' (emphasis added), as claimed by appellant. Clearly, the virtual 
processor 36 in Vaidya is performing both the data monitoring, information extraction 
from data packets, and intrusion detection which simply fails to even suggest an 
"intrusion detection device separate from the data monitoring device " (emphasis added), 
as claimed by appellant. 

Furthermore, the Examiner has argued that Vaidya' s claim 1, which claims a method 
of detecting intmsion attempts, is broken down into several steps, mcluding 
monitoring network traffic and network intmsion. Appellant emphasizes that merely 
claiming separate steps does not meet appellant's separate device_s, as claimed. In 
addition, simply claiming monitOTing netwotk traffic, as in Vaidya, does not meet 
appellant's specifically claimed functionality of a data momtortnig device that 
exceeds beyond monitoring network traffic, as excerpted above. 

In the Examiner's Answer mailed 06/23/2006, the Examiner argued that ^^the purpose of 
Examiner's assertion that Vaidya performs operations in separate steps was to establish 
that Vaidya inherendy discloses separate modnles performing separate functionalities." 
In addition> it was argued that &e '"Examiner has not merely relied on separate steps to 
meet appellant separate dgvices " Appellant respectfully asserts that item 10 of Figure 2 
in Vaidya is disclosed as a "data collector 10 [which] includes a coimmmication module 
34," "a configuration builder module 32," "a stateful dynamic signature inspection 
(SDSI) virtual processor 36," and a '"reaction module 38" (CoL 6, lines 1-26). Cleariy, 
the mere disclosure that data collector 10 includes a virtual processor and several other 
modules simply foils to even suggest an "intmsion detection device separate from the 
data monitoring device' " (emphasis added), as claimed by appellant 

Appellant again respectfully asserts that appellant's arguments made in tibie 
Amendment A dated 10/12/2005 on page 7, paragraph 4-page 9, paragraph 1 clearly 
show the distinction between Vaidya and appellant's specific claim language. In 
addition, the Examiner's response in the Office Action dated 1 1/30/2005 failed to 
provide a prior art showing of appellant's claimed technique for the reasons argued 
hereinabove. 
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Claim Element #2 

With lespect to appellant's claimed technique "wherein the application program 
interfaces allow the intrusion detection device to leverage the separate data 
monitoring device, by allowing the intrusion detection device to call an application 
program interface configured to open a protocol decoding application associated 
tvith the separate data monitoring device, and by allowing the intrusion detection 
device to call an application program interfece configured to open an alarm 
generation application associated with the separate data monitoring device/' the 
Examiner has argued that such claim language in addition to tfie specification does 
not point out any advantage in separation of the intrusion detection device and the 
data monitoring device. In response, appellant points out page 8, lines 3-6 which 
states that the componenis, including the intrusion detection device and the network 
analysis and data monitoring device can perfoim dual simultaneous fimctions, etc. 
which allows for efficient detection of introsions in high-speed netwod;; traffic. 

It should be strongly noted Ihat the foregoing citations do not in any way state, suggest, 
or otherwise imply that such claim language is limited in scope to the specific 
embodiments depicted in the drawings or described in the specification in tbe instant 
application. 

The Examiner has also argued that such aforementioned claim language would have 
been obvious and well known to a person skilled in the art, and noted Poiras in such 
regard. Specifically, the Examiner has argMed that the motivation to use APIs in 
order to build the intrusion detection system would have been to take advantage of 
an ahready prepared and well tested element to perform part of the required 
functionality. Appellant respectfully asserts that the alleged obviousness of utilizing 
APIs does not make appellant's specific claim language obvious, since appellant 
does not merely claim using APIs, but instead specifically claims "allowing the 
intrusion detection device to call an application program interfece configured to 
open a protocol decoding application associated with the separate data monitoring 
device> and. . .allowing tbe intrusion detection device to call an application program 
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intex&ce configured to open an alarm generation application associated with the 
separate data monitoring device." Thus, each device, as claimed by appellant, is 
allowed to call APFs with specific separate functionality such that the intmsion 
detection device is allowed to leverage the separate data monitoring device. These 
claimed features are simply non-«xistent in both Vaidya md Porras. 

In the Examiner's Answer mailed 06/23/2006, tbe Examiner argued that "applicant's 
specifications or claimfi (original or amended) do not point out any advantage in 
separation of the intrusion detection device and data monitoring device that is distinct 
from teaching of Vaidya, except for the use of APIs to invoke certain functionalities" 
and "[t]herefore, examiner did notice the use of APPs to call fimctions in separate 
modules." Appellant respectfully disagrees with flie Examiner's arguments. 

Appellant respectfully asserts tiiat Vaidya discloses diat ''[i]f the virtual processor 36 
determines that a network intrusion has occuned, it alerts a reacti on module 38. which 
initiates one of several reactions depending on the nature of the attacl^' (Col 6, lines 18- 
21 - emphasis added). Clearly^ the mere disclosure that the virtual processor 36 alerts a 
reaction module 38 simply fails to even suggest a teclmique "wherein the appEcation 
program interfaces allow the intmsion detection device to leverage the separate data 
monitoring device. ... by allowing the intmsion detection device to call an application 
program int^ace configmed to open an alarm generation application associated wi& 
the separate data monitoring device '^ (emphasis added), as claimed by appellant 

Further, Vaidya discloses that ''[t]he virtual processor 36 obtains a data nacket from a 
queue and eTdiacts MAC header infotmation, IP header infotmation, transport header 
information, and apolication information firom the data packet" (CoL 7, Imes 18-21 - 
emphasis added). However, the mere disclosure by Vaidya that the virtual processor 
direcdy obtains information from a data packet in the queue fails to even suggest a 
technique "wherein the application program interfaces allow the intrusion detection 
device to leverage the separate data monitoring device^ by allowing the intmsion 
detection device to call an application program interface configured to open a protocol 
decoding application associated with the separate data monitoring device . . (emphasis 
added), as claimed by appellant. Qearly, since the virtual processor extracts 
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infoimation from the data packet in the queue, Vaidya actually teaches away from the 
need for the intrusion detection device to '^ opcn a protocol decoding apnlication 
associated with the separate data monitoring device , . (emphasis added), as claimed by 
appellant 

Further, the Examiner argued that ''using APIs as a means to transfer infoimation 
between objects or elements of a distributed system is obvious and well known to a 
person skilled in the art and would have been obviously to a person skilled in the art to 
use the APIs in order to build the intrusion detection system invented by Vaidya." In 
addition, the Examiner argued that "[t]herefore. Examiner has established that Vaidya's 
anticipation of application programming interfeces as one of inherency, because 
Vaidya^ s system does have separate modules that exchange infoimation among one 
another." 

Appellant respectfully disagrees witfi fhe Examiner's arguments and asserts that Vaidya 
merely discloses a "data collector 10 [which] includes a communication module 34," "a 
configuration builder module 32,^' "a statefiil dynamic signature inspection (SDSI) 
virtual processor 36," and a "reaction module 38" (Col. 6, lines 1-26). In addition^ 
Vaidya discloses the use of caches to facilitate transfening data in between modules as 
seen hi items 32» 42, mi 36 of Figure 4. For example, Vaidya discloses that ''[t]he 
configuration builder module 32 temporarily stores the applicable attack signature 
profiles in an inaction cache 42" and that ''[t]he virtual processor 36 processes flie 
attack signatore profiles to determine whether the packet is associated with a netwoik 
intrusion attempt* (Col. 7, lines 32-36 - emphasis added). 

Appellant asserts that the fact that a certain result or characteristic may occur or be 
present in the prior ait is not sufficient to establish the inherency of that result or 
characteristic. In reRijckaert, 9 F.3d 1531, 1534, 28 USPQ2d 1955, 1957 (Fed Cir, 
1993); In re Oelrich, 666 F.2d 578, 581-82, 212 USPQ 323, 326 (CCPA 1981). 'To 
establish inherency, the extrinsic evidence 'must make clear that the missing 
descriptive matter is necessarily present in the thing described in the reference, and 
diat it would be so recognized by persons of ordinary skill. Inherency, however, 
may not be esteblished by probabilities or possibilities. The mere fact that a certain 



-10- 



PAGE 11/19 ' RCVD AT 8123/2006 5:50:54 PM [Eastern DayligM 



AUG. 23. 2006 3:05PW ZILKA-KOTAB, PC 



NO. 3922 P. 12 



thing may result from a given set of circumstances is not sufficient."' In re 
Robertson, 169 F.3d 743, 745, 49 USPQ2d 1949, 1950-51 (Fed. Cir. 1999). 

Li view of the limited Vaidya disclosute and the failings thereof highlighted above, 
there is absolutely no evidence in such reference fliat makes it clear that such 
missing descriptive matter is necessarily present in the Vaidjra system. In view of 
the arguments made hereinabove, any inherency argument has been adequately 
rebutted, and a notice of allowance or a specific prior art showing of such claim 
featotes, in combination with the remaining claim elements is respectfully requested. 
(SeeMPEP2112) 

Additionally, the Examiner argued that Poiras "clearly suggests the use of APIs 
(paragraphs 40 to 42 and claim 2) in development of intnlsion detection systems." 
Appellant respectfully disagrees wifli the Examiner's argument and asserts that the 
paiftgraphs from Porras relied xnpon by the Examiner merely disclose that ''using the 
Apache API 42 the plication-integrated intrusion detection process 34 inlegrates 
intmsion detection at the application laven e.g., with the web server process 32*' and 
that ''[w]hen one writes a module for the Apache web server, one defines global API 
structures in source code that establish a connection to the server code during 
linking> thus integratmg the module wifli the web server procegs" (emphasis added). 
Clearly, the disclosure by Porras that an API is used to integrate intmsion detection 
at the application layer and that the API allows the intrusion detection module to be 
linked_in with the server code thereby integrating the intmsion detection with the 
web server process teaches away from a technique *Svherein the application urogram 
interfaces allow the intrusion detection device to leverage the separate data 
monitoring device, by allowing the intrusion detection device to call an application 
program interface configured to open a protocol decoding application associated 
with the separate data monitoring device, and by allowing the intmsion detection 
device to call an application program interface configured to open an alarm 
generation apphcation associated with the separate data monitoring device" 
(emphasis added), as claimed by appellant 
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With respect to fhe 102 rejection, the Examiner is reminded that a claim is 
anticipated only if each and every element as set forth in fhe claim is found, either 
expressly or inherently described in a single prior art reference. Verdegaal Bros, v. 
Union Oil Co. Of California, 814 R2d 628, 631, 2 USPQZd 1051, 1053 (Fed. Cir. 
1987). Moreover, the identical invention must be shown in as Complete detail as 
contained in the claim, Richardson v. Suzuki Motor C<?,868 F.2d 1226, 1236, 
9USPQ2d 1913, 1920 (Fed. Cir. 1989). The elements roust be arranged as required 
by the claim, as noted above. 

With respect to the 103 rejection, to estabhsh a prima facie case of obviousness, 
diree basic criteria must be met First, there must be some suggestion or motivation, 
either in the references themselves or in the knowledge generally available to one of 
ordinary slall in the art, to modify the reference or to combine reference teachings. 
Second, theie must be a reasonable expectation of success. Finally, the prior art 
reference (or references when combined) must teach or suggest all the claim 
limitations. The teaching or suggestion to make the claimed combination and ifae 
reasonable expectation of success must both be found in the prior art and not based 
on aqppellant's disclosure. In re Vaeck,947 F.2d 488, 20 USFQ2d 1438 
(Fed.Cir.199l). Appellant respectfully asserts that at least the first and third 
elements of prima facie case of obviousness have not been met, as noted above. 

Thus, all of the independent claims are deemed allowable. Moreover, the remaining 
dependent claims are further deemed allowable, in view of dieir dependence on such 
independent claims. 

Group #2; Claim U 

With respect to independent Claim 11, appellant incorporates the arguments made 
hereinabove regarditig Group #1 . Further, it is noted that Claim 1 1 includes 
additional language requiring a technique of"... allowing the intrusion detection 
device to call at least one application program interface configured to open 
applications of the data monitoring device; and performing intmsion detection at the 
intrusion detection device utilizing at least one of the apphcations of the data 
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monitoriiig device" (emphasis added). The Examiner relied upon items 26, 32, 34, 
36, and 39 of Fig. %, and CoL 6, lines 1-11 (see below) from Vaidya to make a prior 
ait shoving of sach claim langaage. 
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trsmsanicclng and receiving Infioxiiiabion to dnd from fche data 
repoflitory 12. A configuration builder module 32 assigns a set 
of signature profiles to eacli network object and stores data 
representative of associations between network objects and 
attack signature profile sets in a signature profile memory 
39, The coAf iguratioix builder module 32 accesses tbe 
appropriate atteck signature profile setd during operation of 
the data collector 10 and provides the attack signature 
profiles to a suteful dyzUOnic signatiure inspection (SDSI) 
virtual processor 36. The attack signature profiles include a 
set of instructions which the virtual processor 36 executes to 
determine whether a particular data packet is associated with 
a network intrusion. Although a preferred embodiment of the 
processor employs the software based virtual processor 36 to 
execute attack signature profiles, a hardware based processor 
can be employed in the place of the virtual processor SS." 
(vaidya. Col. 6, lines l-ll *- emphasis added) 



The Examiner has jfurther aigued Uiat "the configuration builder module (item 32) 
allows the intrusion detection device (item 36) access attack signature profiles stored 
in signature profile memoiy (item 39)." However, the excerpts merely suggest a 
technique where "[t]he configuration builder module 32 accesses the appropriate 
attack signature profile sets during operation of the data collector 10 and provides 
the attack signature profiles to a statefixl dynamic signature inspection (SDSI) virtual 
processor 36" (en^hasis added). Further^ the Examiner has argued ±at "the 
cornmtmication module (item 34) allows intrusion detection device access the data 
in database handler (item 26).*^ Again, appellant respectfully asserts that the excerpt 
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simply teaches a technique where**[e]ach data collector 10 inchides a 
cDinmunication modide 34 for transmitting attd receiving igfoimation to and from 
the data repository 12" (emphasis added). 

To this end, there is clearly not even a suggestion in the above exceipts of a 
technique of 'allowing the intrusion detection device to call at least one anplication 
program interface configured to open applications of the data monitoring device : and 
performing intrusion detection at the intrusion detection device utilizmg at least one 
of the apphcations of the data monitoring device'' (emphasis added), as claimed by 
appellant. 

In the Examiner's Answer mailed 06/23/2006, the &caminer argued that "column 6 
lines 1-1 1 clearly show the exchange of data between difibrent modules of Vaidya's 
system." In addition, the Examiner argues that iiiherenQy requires the modules 
to have the capability to initiate an action on a separate device, which is the essence 
of Application Programming Interfaces." Again, appellant respectfully disagrees 
with the Examiner's inherency arguments and incorporates the arguments made 
hereinabove regarding Issue #3, Group #1. 

Ixi addition^ appellant respectfully asserts that CoL 6| lines 1-11 in Vaidya relied 
upon by the Examiner merely disclose that "[t]he configuration builder module 32 
accesses the appropriate attack signatore profile sets during operation of the data 
collector 10 and provides the attack signature profiles to a stateful dynamic signature 
inspection (SDSI) vfatual processor 36.*' However^ in Figure 4 and in Col. 7, lines 
32-36, Vaidya further discloses that "[t]he configuration builder module 32 
temporarily stores the applicable attack signature profiles in an instruction cacbe 42" 
and that ''[t]he virtual processor 36 processes the attack signature profiles to 
determine whether the packet is associated with a network intrusion attempt^ 
(emphasis added). However, Vaidya's mere disclosure that the configuration 
builder module 32 stores attack signature profiles in instruction cache 42 for the 
virtual processor 36 fails to even suggest "allowing the intrusion detection device to 
caU at least one application program interface configured to open appPcations of 
the data monitoring device: and performing intrusion detection at the intrusion 
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detection device utilizing at least one of the applications of the data momtoting 
device" (emphasis added), as claimed by appellant. 



Again, in view of the limited Vaidya disclosure and the failings thereof highlighted 
above, there is absolutely no evidence in snch reference tfiat makes it clear that the 
admitted missing descriptive matter is necessarily present in the Vaidya system. In 
view of the arguments made hereinabove, any inherency argument has been 
adequately rebutted, and a notice of allowance or a specific prior art showing of such 
claim features, in combination with the remaining claim elements is respectfully 
requested. (See MPEP 21 12) 

Group #3; Claim 16 



With respect to dependent Claim 16, the Examiner has relied on the following 
excerpts from tbe Vaidya reference to make a prior art showing of appellant's 
claimed technique 'Svherem the application program interfaces provide parsing of 
signatures used in signature matching^ (see Claim 16). 

""The se^s^ei^tisil eignatuce attribute re£dr5 to nniltlple 
eaeprdsfliona which a.re sequentially execmted on successively 
transmitted data packets aeeociated with an application 
session. If each of the expredsiona deteccs the event it was 
deeigned to detect, a network intxueion has heen detected. 

A more formal description of an attack signature in a loose 
BNR parsing grammar follows : 

Pattern := Hex or ASCII string of characters 

Offset := integer 

Protocol ;= one of the conmunication prococolg, ie- Mine- 

layer 

i^GCwork- layer/ Transport-layer, or Application- 
layer 

Exeraet_Type:° Byte, Word, Long Word ox string 
Header_Field:= Predefined keywords for communication 

protocol header field© 
VariablQ_Ka[ne : = ASCII character String Name 

SP 3e<Pattern, Offset, Proi:ocol> . . . Search 

Primitive 

VP :=<Extract_Type,. Of fact, Protocol> . . . Value 

Primitive 

OP : s=<Logical> . | . <ArithTnetic> . 1 . <Bit-wide> 

I <A8eociation> | „ Operators 
Basic_Expression:a <SP>. | .<OP>. | .<Header^Field. | -<$P OP SP>- 
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I . <SP OP VP - 1 - <SP OP Header_Pield> 
Assignment ;= <variatole_Matne> <Basic_ExpresBion> 
CoiRplex_Expression := { (<Basic_Bxpre3eion> OP <Badic 

Bxpression>) . , . ) 
J&sprassion ;= <Complex_Expreasion> . | . 

<Coraplex_ExpreBsion>" ; " 

{ (<AssignTnent>" ; " ) , . . } 
5 igiiature_At tributes := <Simple> ,|. <count:er-Timer-Bafied> . | . 

< Seqiient i al - occurrence^ 
Atcack_Signatiire ;= <Signature_Attribute> { <Expression> . . . 

(Vsidya, col. 10, lines 17-45 - emphasis added) 

Appellant respectf\illy asserts fhat fbe excerpt above simply does not meet all of 
appellant's claim limitatioiis. Specifically, the Vaidya excexpt teaches '\ . .attack 
signature in a loose BKR parsing grammar. . and that ttie '\ .. sequential signature 
attribtite refers to multiple expressions which ate sequentially executed on successively 
transmitted data packets. . The BNR parsing grammar and multiple expressions, as 
described by Vaidya, clearly do not, however, meet appellant's specific claim language, 
since Vaidya fails to even suggest a technique "wherein the application program 
interfaces ptovide parsing ofsignatores used in signature matching" (emphasis added), 
as claimed by appellant 

In the Examiner's Answer mailed 06/23/2006, the Examiner argued that "the 
mention[ed] excerpt of Vaidya (Column 10, lines 17-45) clearly shows an attack 
signature parsed" and "[t]herefore, parsing attack signatures are clearly disclosed by 
Vaidya.'* Appellant respectfully disagrees and asserts that flie excerpt from Vaidya 
merely discloses a *f ormal description of an attack signature in a loose BNR parsmg 
grammar." In addition. Col, 10, lines 46-48 in Vaidya disclose "a method for 
processing attack signatuie profiles includes obtaminj[ an attack signature profile from 
the instruction cache 42 in step 122'* (emphasis added). However, merely disclosing the 
description of an attack signature in loose BNR parsing grannnar and that fte attack 
signature profile is obtained fixmi the insttuctiofi cache 42 fails to even suggest a 
technique ''wherein the a pplication program interfaces provide par flinf^ nf jrifyfiatiireg 
used in signature matching' ^ (enq>hasis added), as claimed by appellant. Clearly, since 
the attack signature is in the instruction cache 42, there is not even a need to use 
"annlication prooTam interfaces [to! provide parsings of signatures used in signature 
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matching " (emphasis added), as claimed t>y appellant. Thus, Vudya aclnally teaches 
away in this legard. 
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In the event a telephone conversation would expedite the prosecution of this application, the 
Examiner may reach the undersigned at (408) 971-2573. For payment of any additional fees due in 
connection with the filing of this paper, the Commissioner is a\ithorized to charge such fees to 
Deposit Account No. 50-1351 (Order No. NAI1P317/01.185.01). 



Zilka-Kofab, P.C. 

P.O. Box 721120 

San Jose, California 95172-1120 

Telephone: (408) 971-2573 

Facsimile: (408)971-4660 



RespectMly 

By: 

RevinJ.Zilka 
Reg. No, 41. 




Date: 
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